---
layout: api
page_title: /sys/mounts - HTTP API
description: The `/sys/mounts` endpoint is used to manage secrets engines in Vault.
---

# `/sys/mounts`

The `/sys/mounts` endpoint is used to manage secrets engines in Vault.

## List mounted secrets engines

This endpoints lists all the mounted secrets engines.

| Method | Path          |
| :----- | :------------ |
| `GET`  | `/sys/mounts` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/mounts
```

### Sample response

```json
{
  "request_id": "48d2c601-97a0-3904-f549-4fcbc740d718",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "cubbyhole/": {
      "accessor": "cubbyhole_eb4503de",
      "config": {
        "default_lease_ttl": 0,
        "force_no_cache": false,
        "max_lease_ttl": 0
      },
      "description": "per-token private secret storage",
      "external_entropy_access": false,
      "local": true,
      "options": null,
      "plugin_version": "",
      "running_plugin_version": "v1.12.0+builtin.vault",
      "running_sha256": "",
      "seal_wrap": false,
      "type": "cubbyhole",
      "uuid": "79ddaa52-fa07-6f19-653a-f0777f6439fd"
    },
    "identity/": {
      "accessor": "identity_68a03448",
      "config": {
        "default_lease_ttl": 0,
        "force_no_cache": false,
        "max_lease_ttl": 0
      },
      "description": "identity store",
      "external_entropy_access": false,
      "local": false,
      "options": null,
      "plugin_version": "",
      "running_plugin_version": "v1.12.0+builtin.vault",
      "running_sha256": "",
      "seal_wrap": false,
      "type": "identity",
      "uuid": "45f79a67-58f7-3f87-892c-9032084e7801"
    },
    "secret/": {
      "accessor": "kv_aedd93c1",
      "config": {
        "default_lease_ttl": 0,
        "force_no_cache": false,
        "max_lease_ttl": 0
      },
      "deprecation_status": "supported",
      "description": "key/value secret storage",
      "external_entropy_access": false,
      "local": false,
      "options": {
        "version": "2"
      },
      "plugin_version": "",
      "running_plugin_version": "v0.13.0+builtin",
      "running_sha256": "",
      "seal_wrap": false,
      "type": "kv",
      "uuid": "8074a73f-6921-c0cd-589a-016405dc46ec"
    },
    "sys/": {
      "accessor": "system_f8df2902",
      "config": {
        "default_lease_ttl": 0,
        "force_no_cache": false,
        "max_lease_ttl": 0,
        "passthrough_request_headers": ["Accept"]
      },
      "description": "system endpoints used for control, policy and debugging",
      "external_entropy_access": false,
      "local": false,
      "options": null,
      "plugin_version": "",
      "running_plugin_version": "v1.12.0+builtin.vault",
      "running_sha256": "",
      "seal_wrap": false,
      "type": "system",
      "uuid": "c79f4f66-4cfa-4521-9d31-b1238b0a6800"
    }
  },
  "warnings": null
}
```

`default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults
are used by this backend.

## Enable secrets engine

This endpoint enables a new secrets engine at the given path.

| Method | Path                |
| :----- | :------------------ |
| `POST` | `/sys/mounts/:path` |

### Parameters

- `path` `(string: <required>)` – Specifies the path where the secrets engine
  will be mounted. This is specified as part of the URL.

  !> **NOTE:** Use ASCII printable characters to specify the desired path.

- `type` `(string: <required>)` – Specifies the type of the backend, such as
  "aws".

- `description` `(string: "")` – Specifies the human-friendly description of the
  mount.

- `config` `(map<string|string>: nil)` – Specifies configuration options for
  this mount; if set on a specific mount, values will override any global
  defaults (e.g. the system TTL/Max TTL)

  - `default_lease_ttl` `(string: "")` - The default lease duration, specified
    as a string duration like "5s" or "30m".

  - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
    string duration like "5s" or "30m".

  - `force_no_cache` `(bool: false)` - Disable caching.

  - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be
    HMAC'd by audit devices in the request data object.

  - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be
    HMAC'd by audit devices in the response data object.

  - `listing_visibility` `(string: "")` - Specifies whether to show this mount
    in the UI-specific listing endpoint. Valid values are `"unauth"` or
    `"hidden"`. If not set, behaves like `"hidden"`.

  - `passthrough_request_headers` `(array: [])` - List of headers to allow
    and pass from the request to the plugin.

  - `allowed_response_headers` `(array: [])` - List of headers to allow,
    allowing a plugin to include them in the response.

  - `plugin_version` `(string: "")` – Specifies the semantic version of the plugin
    to use, e.g. "v1.0.0". If unspecified, the server will select any matching
    unversioned plugin that may have been registered, the latest versioned plugin
    registered, or a built-in plugin in that order of precedence.

  - `allowed_managed_keys` `(array: [])` - List of managed key registry entry names
    that the mount in question is allowed to access.

  - `delegated_auth_accessors` `(array: [])` - List of allowed authentication mount
    accessors the backend can request delegated authentication for.

  - `identity_token_key` `(string: "")` - The key to use for signing plugin workload
    identity tokens. If not provided, this will default to Vault's OIDC
    [default key](/vault/docs/concepts/oidc-provider#keys).

- `options` `(map<string|string>: nil)` - Specifies mount type specific options
  that are passed to the backend.

  _Key/Value (KV)_

  - `version` `(string: "1")` - The version of the KV to mount. Set to "2" for mount
    KV v2.

Additionally, the following options are allowed in Vault open-source, but
relevant functionality is only supported in Vault Enterprise:

- `local` `(bool: false)` – Specifies if the secrets engine is a local mount
  only. Local mounts are not replicated nor (if a secondary) removed by
  replication.

- `seal_wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
  values stored by the mount to be wrapped by the seal's encryption capability.

- `external_entropy_access` `(bool: false)` - Enable the secrets engine to access
  Vault's external entropy source.

### Sample payload

```json
{
  "type": "aws",
  "config": {
    "force_no_cache": true
  }
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount
```

## Disable secrets engine

This endpoint disables the mount point specified in the URL.

| Method   | Path                |                    |
| :------- | :------------------ | ------------------ |
| `DELETE` | `/sys/mounts/:path` | `204 (empty body)` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount
```

### Force disable

Because disabling a secrets engine revokes secrets associated with this mount,
possible errors can prevent the secrets engine from being disabled if the
revocation fails.

The best way to resolve this is to figure out the underlying issue and then
disable the secrets engine once the underlying issue is resolved. Often, this can be as
simple as increasing the timeout (in the event of timeout errors).

For recovery situations where the secret was manually removed from the
secrets backing service, one can force a secrets engine disable in Vault by
performing a [force revoke](/vault/api-docs/system/leases)
on the mount prefix, followed by a secrets disable when that completes.
If the underlying secrets were not manually cleaned up, this method might result
in dangling credentials. This is meant for extreme circumstances.

## Get the configuration of a secret engine

This endpoint returns the configuration of a specific secret engine.

| Method | Path                |
| :----- | :------------------ |
| `GET`  | `/sys/mounts/:path` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/mounts/cubbyhole
```

### Sample response

```json
{
  "config": {
    "default_lease_ttl": 0,
    "force_no_cache": false,
    "max_lease_ttl": 0
  },
  "description": "per-token private secret storage",
  "accessor": "cubbyhole_db85f061",
  "external_entropy_access": false,
  "options": null,
  "uuid": "9c0e211a-904d-e41d-e1a2-7f1ff2bb8461",
  "type": "cubbyhole",
  "local": true,
  "seal_wrap": false,
  "request_id": "efdab917-ade2-1802-b8fa-fe2e6486d4e5",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "accessor": "cubbyhole_db85f061",
    "config": {
      "default_lease_ttl": 0,
      "force_no_cache": false,
      "max_lease_ttl": 0
    },
    "description": "per-token private secret storage",
    "external_entropy_access": false,
    "local": true,
    "options": null,
    "plugin_version": "",
    "running_plugin_version": "v1.12.0+builtin.vault",
    "running_sha256": "",
    "seal_wrap": false,
    "type": "cubbyhole",
    "uuid": "9c0e211a-904d-e41d-e1a2-7f1ff2bb8461"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
```

## Read mount configuration

This endpoint reads the given mount's configuration. Unlike the `mounts`
endpoint, this will return the current time in seconds for each TTL, which may
be the system default or a mount-specific value.

| Method | Path                     |
| :----- | :----------------------- |
| `GET`  | `/sys/mounts/:path/tune` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
```

### Sample response

```json
{
  "default_lease_ttl": 3600,
  "max_lease_ttl": 7200,
  "force_no_cache": false
}
```

## Tune mount configuration

This endpoint tunes configuration parameters for a given mount point.

| Method | Path                     |
| :----- | :----------------------- |
| `POST` | `/sys/mounts/:path/tune` |

### Parameters

- `default_lease_ttl` `(int: 0)` – Specifies the default time-to-live. This
  overrides the global default. A value of `0` is equivalent to the system
  default TTL.

- `max_lease_ttl` `(int: 0)` – Specifies the maximum time-to-live. This
  overrides the global default. A value of `0` are equivalent and set to the
  system max TTL.

- `description` `(string: "")` – Specifies the description of the mount. This
  overrides the current stored value, if any.

- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys that
  will not be HMAC'd by audit devices in the request data object.

- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys that
  will not be HMAC'd by audit devices in the response data object.

- `listing_visibility` `(string: "")` - Specifies whether to show this mount in
  the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
  If not set, behaves like `"hidden"`.

- `passthrough_request_headers` `(array: [])` - List of headers to allow
  and pass from the request to the plugin.

- `allowed_response_headers` `(array: [])` - List of headers to allow,
  allowing a plugin to include them in the response.

- `allowed_managed_keys` `(array: [])` - List of managed key registry entry names
  that the mount in question is allowed to access.

- `plugin_version` `(string: "")` – Specifies the semantic version of the plugin
  to use, e.g. "v1.0.0". Changes will not take effect until the mount is reloaded.

- `delegated_auth_accessors` `(array: [])` - List of allowed authentication mount
  accessors the backend can request delegated authentication for.

### Sample payload

```json
{
  "default_lease_ttl": 1800,
  "max_lease_ttl": 3600
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mounts/my-mount/tune
```
